AutoCAD Worm Discovered by ESET

ESET Comments on new malware discovered which targets engineering drawing created by the popular AutoCAD package

ESET has uncovered a worm that targets drawings created in AutoCAD software for computer-aided design (CAD). Recently the worm, ACAD/Medre.A, showed a big spike in Peru on ESET’s Live Grid (a cloud-based malware collection system utilising data from ESET users worldwide). ESET’s research shows that the worm steals files and sends them to email accounts located in China. ESET has worked with Chinese ISP Tencent, Chinese National Computer Virus Emergency Response Center and Autodesk, the creator of AutoCAD, to stop the transmission of these files. ESET confirms that tens fof thousands of AutoCAD drawings, primarily from users in Peru, were leaking at the time of the discovery. ESET has made a free stand-alone cleaner available at ESET.com.

“After some configuration, ACAD/Medre.A sends opened AutoCAD drawings by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider,” says ESET Senior Research Fellow Righard Zwienenberg.

“ACAD/Medre.A represents a serious case of industrial espionage. Every new design is sent automatically to the operator of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production. They may even have the guts to apply for patents on the product before the inventor has registered it at the patent office,” adds Zwienenberg.

ESET has made a free stand-alone cleaner available for public use. Upon the realisation of the magnitude of this threat ESET reached out to Tencent, the owner of the qq.com domain. ESET also established contact with Autodesk. Thanks to the swift actions of ESET and Tencent, the accounts used for relaying the e-mails with the drawings have been blocked and further leakage has been prevented.

ESET research teams around the globe have observed a small number of infections in other Latin American countries along with Peru. In addition, the high number of infections observed in Peru might also be explained by the fact that malware disguised as AutoCAD files may have been distributed to companies that were conducting business with public services in Peru. This leads us to think organisations in this country might have been the primary target of the ACAD/Medre.A operators. ESET is in contact with the local authorities to remediate the affected website.

“If there is one thing that becomes obvious from this piece of malware engaging in industrial espionage is that reaching out to other parties to prevent further damage really works. Without the assistance of Autodesk, Tencent and Chinese National Computer Virus Emergency Response Center which helped ESET in taking down of dropsites and delivery chains, it would have been relatively easy only to clean already affected systems, but systems that would not be cleaned could have continued to be leaking their designs,” says ESET Chief Research Officer Juraj Malcho.